How to open or close ports using Iptables on Linux?

iptables is a firewall that protects your server from unwanted traffic or access. Typically, all ports are open in a firewall so that any user can connect to and use any service the server offers. However, you can open or close any port on your firewall.

Here are the steps to open or close ports in the iptables firewall on both Ubuntu and CentOS distributions.

Prerequisite

sudo access to an Ubuntu/CentOS server with iptables installed.

Steps to open or close ports

1. Using sudo access, connect to your server and list the rules currently configured in iptables. Use the command: sudo iptables -L

The output displays the currently configured rules. See below.

root@:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:1167
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:zabbix-agent
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@:~#

2. Take a backup of the iptables rules. This step is important: if anything goes wrong with the iptables configuration, you will still have the backup to restore the rules from.

Use the command below to save the current iptables rules to a file:

sudo iptables-save > IPtablesbackup.txt

3. Open a port in iptables by adding a rule. Use the command: sudo iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

Note: Replace xxxx with the number of the port you want to open.

For example, to open port 3306 for MySQL, run the command: sudo iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

This tells iptables to accept connections to MySQL from any source address, i.e. publicly.

As mentioned in step 1, you can verify this with: sudo iptables -L

root@:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:1167
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:zabbix-agent
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@:~#

If you want to remove the rule you just added, repeat the same rule specification with -D (delete) instead of -A: sudo iptables -D INPUT -p tcp --dport xxxx -j ACCEPT

If you do not want to open the port publicly, you can open it for a single IP address only.

Use the command below to open the port for a single IP address: sudo iptables -A INPUT -p tcp -s your_server_ip --dport xxxx -j ACCEPT

Note: In the command above, replace your_server_ip with the IP address that should be allowed to connect (the -s option matches the packet's source address) and xxxx with the required port.

4. Once you have added the rules, save them so that they survive a reboot. On Ubuntu, use iptables-persistent; on CentOS, use the iptables save command.

Use the following commands to save and reload the iptables rules on Ubuntu 14.04:

sudo /etc/init.d/iptables-persistent save
sudo /etc/init.d/iptables-persistent reload

Use the following commands on Ubuntu 16.04 and Ubuntu 18.04:

sudo netfilter-persistent save
sudo netfilter-persistent reload

If you are using CentOS, use the command: service iptables save (on CentOS 7 this requires the iptables-services package to be installed).

5. If you run into any problem with your iptables configuration, you can revert the changes by restoring the file backed up in step 2 with the command: sudo iptables-restore < IPtablesbackup.txt
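As an added example that is not part of the original article, the POSIX shell helpers below wrap the step 3 rules (open publicly, open for a single source address, delete) so that a script can apply them repeatably; the function names open_port, close_port, validate_port and _rule, and the IPTABLES variable, are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent wrappers around the
# step 3 rules; IPTABLES, validate_port, _rule, open_port, close_port are assumed names.
#   open_port  PORT [SOURCE]   ACCEPT tcp PORT in INPUT, optionally only from SOURCE
#   close_port PORT [SOURCE]   delete that rule if it exists
# Each change is preceded by `iptables -C`, so a script run twice never stacks
# duplicate rules. Nothing is persisted: run the step 4 save command afterwards.

IPTABLES="${IPTABLES:-iptables}"   # override to point at a stub for dry runs

validate_port() {
  # Accept only an integer in 1..65535.
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

_rule() {
  # Usage: _rule ACTION PORT [SOURCE]; ACTION is -A (append), -C (check) or -D (delete).
  # -s matches the packet's source address, i.e. the client allowed to connect,
  # not the server's own address.
  if [ -n "$3" ]; then
    "$IPTABLES" "$1" INPUT -p tcp -s "$3" --dport "$2" -j ACCEPT
  else
    "$IPTABLES" "$1" INPUT -p tcp --dport "$2" -j ACCEPT
  fi
}

open_port() {
  validate_port "$1" || { echo "invalid port: $1" >&2; return 2; }
  if _rule -C "$1" "$2" 2>/dev/null; then
    echo "already open: tcp/$1${2:+ from $2}"
    return 0
  fi
  # -A appends at the end of INPUT, so an earlier DROP/REJECT rule matching the
  # same traffic still wins; use -I INPUT 1 if the rule must be evaluated first.
  _rule -A "$1" "$2"
}

close_port() {
  validate_port "$1" || { echo "invalid port: $1" >&2; return 2; }
  if _rule -C "$1" "$2" 2>/dev/null; then
    _rule -D "$1" "$2"
  else
    echo "no such rule: tcp/$1${2:+ from $2}"
  fi
}
```

Source the file and call, for example, open_port 3306 203.0.113.10 as root; set IPTABLES to a stub function to dry-run without touching the live firewall.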
